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Abstract 

Binary quadratic Diophantine equations are of interest from the viewpoint of computational 
complexity theory. This class of equations includes as special cases many of the known examples 
of natural problems apparently occupying intermediate stages in the P — NP hierarchy, i.e., 
problems not known to be solvable in polynomial time nor to be A'^P-complete, for example the 
problem of factoring integers. 

Let L{F) denote the length of the binary encoding of the binary quadratic Diophantine 
equation F given by ax1 + bxiX2 + cx2 + dxi + ex2 + f = 0. Suppose F is such an equation having 
a nonnegative integer solution. This paper shows that there is a proof (i.e., "certificate") that 
F has such a solution which can be checked in 0{L{F)^ log L{F) loglog L{F)) bit operations. 
A corollary of this result is that the set = {F : F has a nonnegative integer solution} is in 
the complexity class NP. The result that S is in NP is interesting because it is known that 
there are binary quadratic Diophantine equations whose smallest nonnegative integer solution 
is so large that it requires time exponential in L{F) just to write this solution down in the usual 
binary representation. 

1. Introduction 

There has been considerable interest in bounding the computational complexity of various 
number-theoretic problems. A particular motivation is the Rivest-Shamir-Adleman enciphering 
scheme j31j whose resistance to cryptanalysis depends on the apparent difficulty of factoring 
large integers. Many of these number-theoretic problems can be formulated as one of two types 
of problems involving Diophantine equations. 

(i) Deciding whether a given Diophantine equation has an admissible solution or not. 

(ii) Exhibiting an admissible solution to such an equation when it has one. 

Here an admissible solution denotes an integer solution which may also be required to satisfy 
some side conditions characteristic of the particular problem. The side conditions that arise 
are generally of the following two types: 

(i) Nonnegativity. Certain variables are required to be nonnegative. 
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(ii) Congruence. Certain variables Xi are required to satisfy congruence restrictions Xi = 
ai(mod r) where the and T are given as input. 

In this framework, for example, an integer N is composite if and only if the binary quadratic 
Diophantine equation 

(x + 2)(y + 2) = iV (1.1) 

has a solution in nonnegative integers. The problem of factoring A'^ involves exhibiting nonneg- 
ative solutions to a series of equations (jl.ip . and showing that certain other equations of the 
form (11. ip are solvable. 

There is a close relation between Diophantine equations and the theory of computation. The 
methods developed by Davis, Putman, Robinson and Matijasevic in their solution to Hilbert's 
10th problem established that for any recursively enumerable set A of natural numbers there 
is a Diophantine equation P{xi, . . . , Xn) = such that 

X £ A <^ 3 nonnegative X2, ■ ■ ■ ,Xn such that P{x, X2, ■ ■ ■ , Xn) = 

(see in particular [12], [13], [26].) Adleman and Manders [1], [2] used these methods to establish 
a computational complexity theory based on the notion of recognizing sets for which a given 
Diophantine equation has solutions of size bounded by a given complexity function ^. More 
precisely, they considered sets S given 

X £ S <^ 3 nonnegative X2, ■ ■ ■ ,Xn with L{x2), ■ ■ ■ , L{xn) < <l>(L(x)) 

such that P{x, X2, ■ ■ ■ , x„) = 

where P{xi, . . . fixed Diophantine equation, L{x) denotes the length of the binary 

integer x, and $(t) is a complexity measure which is an increasing function of t. They introduced 
a complexity class D which is a Diophantine analogue of the complexity class NP. It consists of 
all relations R C u;"* specified by a Diophantine equation P{xi, . . . , x^+n) = and a polynomial 
q{t) as follows: 

< xi, . . . , Xm >S R <^ 3 nonnegative yi, . . . , y„ 

such that MAX L{yi) < q{L{xi) + . . . + L{xm)) 

and P(xi, . . . ,Xm,yi, . . . ,y„) = . (1.2) 

It is immediately clear that D C NP. It is an open problem whether or not D = NP; this is 
an important problem in determining the relative computing power of Diophantine equations 
as compared to that of nondeterministic Turing machines. 
The class of binary quadratic Diophantine equations 

ax\ + 6x1X2 + cs\ + dxi + ex2 + / = (1-3) 

is of special interest from the viewpoint of both number theory and complexity theory. From 
the viewpoint of number theory, this class of equations can be used to encode the problem of 
factorization, of solving quadratic congruences 

x^ = / (mod e) 
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(which corresponds to — ex2 — / = 0), of solving Pell's equation 




= 1 



and to encode problems in representation and equivalence of binary quadratic forms. From 
the viewpoint of complexity theory this class of equations seems to represent the borderline 
between tractable and intractable computational problems. It includes as special cases most 
of the known examples of natural problems apparently occupying intermediate stages in the 
P — NP hierarchy (i.e., problems not known to be in P not to be A^P-complete) as well as 
A^P-complete problems. For example, it known that 

(i) S = {p\p is prime} G P (Agrawal, Kayal and Saxena [6]). 

(ii) {a, /?, 7 € uj\3 nonnegative xi,X2 such that axf + 13x2 — 7 = 0} is A^P-complete. (Manders 

and Adleman [24j ) . 

(iii) {a,c G u;|3a;i,X2 such that axiX2 + X2 = c} G NPXNP'' provided NP / NP''. This 
problem is 7-complete (Adleman and Manders [3]). 

(iv) {a, c G u;|3j;i, X2 such that xf — a^x| = c} is unfaithfully random complete (Adleman and 
Manders [3|, [5]). 

All of the sets (i)-(iv) are in D, and hence are certainly in NP. Note that the existence of 
A^P-complete sets in D does not establish D = NP. Indeed, Adleman and Manders [2] exhibit 
a set in P not known to be in D. 

This paper treats the general problem of recognizing those binary quadratic Diophantine 
equations which have nonnegative solutions, which may also be required to satisfy given con- 
gruence side conditions. This problem appears to be fundamentally harder computationally 
than any of the special subclasses of binary quadratic Diophantine equations considered up to 
now (i.e. including (i)-(iv) above) as indicated by the following example. 

Example. Consider the set of equations 



where d is given in its binary representation as input. The equations (II. 4p are often called the 
non-Pellian or anti-Pellian equations. For the subset d = 5^""*"^, the input requires no more 
than 7n bits. In Lagarias [21, Appendix A], it is shown that for d = 5^"+! this equation has 
solutions for n = 1, 2, 3, . . . and that the solution (ti, ui) to this equation with minimal binary 
lengths L{ti), L{ui) is given by 



This implies that the length of any solution x to (jl.4p expressed in binary for these d satisfies 



a;2 - dy'^ = -1 



(1.4) 



ti+uiV5 = (2 + ^5) 



(1.5) 




□ 
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This example shows that there are some binary quadratic Diophantine equations whose 
sohitions are so large that it requires exponential space (in terms of the length of the coefficients 
of the equation) to store any such solution in binary. In addition this shows the set 

n = {d € — dy^ = —1 is solvable in integers } (1-6) 

cannot be established to be in the complexity class D by use of the Diophantine equation 
— dy'^ + 1 = in (1.2). Indeed we cannot hope to show the set (|1.6|) is in NP by guessing a 
solution X, y, because it potentially requires exponential time to check that a given solution x, y 
to (jl.4p is a solution. (However, see Theorem 1.3 below.) These results apply to the general 
quadratic Diophantine equation (jl.Sp . because the problem of recognizing the subclass (jl.4p is 
clearly in P. 

The main result of this paper is that there exist short certificates of the solvability of all 
binary quadratic Diophantine equations which have solutions. By the preceding example, these 
certificates must sometimes verify that solutions exist without exhibiting these solutions in 
binary. The certificates actually contain in a compact form enough information to exactly 
calculate an admissible solution. 

In order to state the main result, we need two definitions. Given a binary quadratic Dio- 
phantine equation F{xi, X2) = where 

F{xi,X2) = axf + 6x1X2 + CS2 + dxi + ex2 + / 

together with a congruence side condition 

xi = ai(mod F) 
X2 = 02 (mod r) 

and < Qi, 0:2 < r we define the length L{F) of the input to be 

L{F) = L{a) + L{b) + L(c) + L{d) + L(e) + L(/) + 3L(r) . (1.7) 

The other definition concerns the measurement of the running time of a program. We shall 
measure running in terms of elementary operations, which consists of a Boolean operation on a 
bit or pair of bits, and an input or shift of a single bit. Our main result is the following. 

Theorem 1.1. Let F{xi,X2) = be a binary quadratic Diophantine equation, where 

F{xi, X2) = axf + 6x1X2 + CX2 + dxi + ex2 + / , 

which has a nonnegative integer solution (xi,X2) satisfying 

xi = Qi(mod r) 
X2 = 02 (mod r) . 

Then there exists a certificate showing that F{xi,X2) = has such an admissible solution which 
requires 0{L{F)^ log L{F) loglog L{F)) elementary operations to verify. 

This result gives certificates imposing two side conditions on the solutions: a congruence 
condition and a positivity condition. The theorem is formulated imposing a positivity side 
condition to give a result compatible with the framework of Hilbert's 10-th problem, and with 
Diophantine complexity theory of Adleman and Manders [3], [1]. An immediate consequence 
of the form of the certificates produced by Theorem 1.1 is the following result. 
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Theorem 1.2. The following sets are all in NP. 

(i) Si = {a, 6, c, d, e, /, Q!i, a2, r G Z|3 nonnegative integers xi, 
X2 with xi = ai(mod r),X2 = a2(mod F) and 
axf + 6x1X2 + CX2 + dxi + ex2 + / = 0} 

(^iij S2 = {a,b,c,d,e, f G Z\3 nonnegative integers xi,X2 with 
axf + 6x1X2 + + dxi + ex2 + / = 0} 

(^mj S3 = {a,b,c,d,e,f £ Z\3 integers xi,X2 with 
axf + 6x1X2 + CS2 + dxi + ex2 + / = 0} . 

Since one can tell in polynomial time whether or not a binary quadratic Diophantine equa- 
tion (11.31) is of the special form 

axj + ex2 + f = (1.8) 

and since the set of equations of the form (|1.8p which have nonnegative integral solutions is 
A^P-complete [21], we conclude that: testing membership in the sets Si and S2 in Theorem 1.2 
are both N P-complete. We are unable to decide whether or not any of the sets Sj above are in 
the Diophantine complexity class D. 

The proofs of Theorems 1.1 and 1.3 use the theory of binary quadratic forms as developed 
by Gauss in Disquisitiones Arithmeticae [15]. A treatment of this theory can be found in Buell 
[8]. The certificates are based on Gauss' operation of composition of forms, and crucially use an 
idea of Shanks [33], which he called the "infrastructure" of quadratic forms. Shanks did not give 
detailed proofs, but the "infrastructure" method was put on a rigorous footing by Lenstra [23] 
in 1980, in the framework of quadratic number fields. This paper gives an alternate justification 
of the infrastructure method in the framework of composition of forms (Lemma 16. 2p . 

In addition to the main theorem, we show that whenever two integer binary quadratic forms 
are equivalent there exist succinct certificates verifying this equivalence (Theorem 17. ip . 

We add some remarks on related work. The following result is a direct consequence of [21^ 
Theorem 1.1]. 

Theorem 1.3. The set 

n = {(i|3 integers x,y with x^ — dy'^ = —1} 

is in NP n co-NP. 

The problem of characterizing the set IT has been extensively studied in algebraic number 
theory, see Narkiewicz ^HJ pp. 124-126], and Redei [30] . 

In another direction Gurari and Ibarra [16j consider a class of Diophantine equations con- 
taining ()1.8p as a special case, but not containing (jl.3p . They show that the subclass of such 
equations having nonnegative solutions is in D, i.e., when such equations have a nonnegative 
solution, they have one that is small enough to serve as a certificate. Their A'^P-completeness 
result then follows from [24j . 

The proof of Theorem 1.1 is outlined in Section 2, and the details appear in the following 
sections. 
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The results of this paper were presented at the 1979 FOCS conference [T9J. A complete 
paper appeared as the 1981 technical report [22]. The present paper differs from this technical 
report mainly in the addition and update of references. Our impetus to put this paper on 
record, after a long delay, is its relevance to Problem 5 of he mathematical problems for the 
twenty-first century formulated in 2000 by S. Smale [34j. 

We remark on related developments. The "infrastructure" method of Shanks was by Buch- 
mann and Williams [7J to give succinct certificates for class numbers and approximate rep- 
resentation of regulators of quadratic number fields, under the assumption of the generalized 
Riemann hypothesis. In 1994 Theil [36] showed that verifying the class number falls in the class 
NP n co-NP, assuming the generalized Riemann hypothesis. The infrastructure method is well 
known to be computationally effective in practice, as described in Chapter 5 of Cohen [TT], and 
has been used in computations of class numbers and regulators of quadratic and cubic number 
fields and function fields. 

Acknowledgment. This work was done while the author visited the University of Maryland 
in 1978-1979, and at AT &T Beh Laboratories in 1979-1981. 

2. Outline of the Proof 

In this section we describe the main ideas of the proof and establish some notational con- 
ventions. 

We deal throughout with a system F consisting of a binary quadratic Diophantine equation 
with side conditions having the form: 

axl + 2bxiX2 + cx\ + 2dx\ 2ex2 + f = , (2.1) 

Xi = ai(mod T), i = l,2, (2.2) 

Xi>0, i = 1,2, (2.3) 

in order to maintain compatibility with Gauss' formulation of this problem. Any system can 
be brought to this form by multiplying (jl.3p by 2. A solution to (j2.ip - (j2.3p will be called 
admissible. 

Binary quadratic Diophantine equations (|2.ip are classified as define, indefinite or degenerate 
according as the determinant 

D = h^ -ac (2.4) 

is negative, positive and not a square, or a perfect square, respectively. This classification is 
useful because the sets of solutions to these three types of equations have qualitatively different 
characteristics. For example, definite and degenerate binary quadratic Diophantine equations 
always have admissible solutions small enough to serve directly as certificates, if they have any 
admissible solutions at all (Lemma I3.2p . The body of the proof concerns the case of indefinite 
binary quadratic Diophantine equations. 

Gauss Art. 216-221] gave a method to determine whether ()2.ip has any integer solutions 
and if so to give a complete parametric description of all solutions. This method is based on 
his theory of integral binary quadratic forms, and in particular on determining the equivalence 
or inequivalence of such forms. Gauss' method easily extends to include the side condition 
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(|2.2p . but (j2.3p adds new complications. We follow the outline of Gauss' method in reducing 
the problem to that of recognizing the equivalence of two quadratic forms. In Section 3 we 
transform the problem to that of studying the equation 

- Dyl = g 

with side conditions. In Section 4 quadratic forms are introduced and the problem is trans- 
formed to that of demonstrating that the reduced identity form / of determinant D is equivalent 
to a reduced form Qred via an equivalence matrix W having certain properties. (See Section 4 
for definitions.) The proof are complicated by the need to bound the size of the least admissible 
solution and to keep track of the nonnegativity condition ()2.3p under these transformations. 

These reductions have not yet addressed the main difficulty in finding certificates of solv- 
ability, which is the possible exponentially large size of the number of binary bits in the least 
admissible solution. This difficulty is transformed into the possible equally large size of the en- 
tries of the equivalence matrix W . In Lemma 14.21 we show that in order to verify admissibility 
we need only know the entries of W to sufficient accuracy to check a certain sign condition, 
and that these entries satisfy certain congruence side conditions. 

The remainder of the proof is devoted to a detailed study of equivalence matrices showing 
the equivalence of the reduced identity form / and reduced forms Qred- In Section 5 we describe 
results of Gauss. Gauss defined a notion of two reduced forms being neighbors. If we form a 
graph in which the reduced forms are vertices, and edges correspond to two reduced forms being 
neighbors, then Gauss showed this graph is a union of disjoint cycles, and the cycle including 
/ contains exactly the reduced forms equivalent to /, which we call the principal cycle. These 
results imply that the associated equivalence matrices have a very special form, which is related 
to the ordinary continued fraction algorithm. However this form alone is insufficient to produce 
succinct certificates. 

The main device of the proof uses another set of relations between these equivalence matri- 
ces, which come from Gauss' operation of composition of binary quadratic forms (Lemma 16. ip . 
The idea of using the action of composition of forms on the principal cycle is due to Shanks [33] , 
who called it the "infrastructure". The "infrastructure" asserts that composition is a kind of 
doubling of distance on the graph of the set of forms. Shanks did not give detailed proofs, but a 
rigorous justification of the "infrastructure" was given by Lenstra [23], in the language of ideals. 
In this paper we rigorously justify it in the language of composition of forms, in Lemma 16.21 
The action of composition can be combined with Gauss' to find a short sequence of composition 
formulae that prove the equivalence of any two given forms in the principal cycle (Lemma 16. 3p . 
In effect each composition causes a squaring, so that if one multiplied out all the compositions 
to write down the matrix giving the equivalence, the resulting entries would potentially have 
exponentially many digits, in terms of the input size. However the correctness of the composi- 
tion can be checked in each formula separately, avoiding this potential exponential blowup. In 
Section 7 we further apply these formulae to give succinct certificates for the equivalence of two 
equivalent indefinite binary quadratic forms. We remark that the equivalence or inequivalence 
of two definite or degenerate quadratic forms can be decided in polynomial time [2QJ.) 

In Section 8 we complete the proof by showing that the formulae of Lemma [6.2l can be used 
to check that the entries of W satisfy a given side congruence condition^ and to evaluate W 
using floating-point computations to enough accuracy to verify a sign condition on the solutions. 
This is of interest if one wishes to recognize positive solutions, as are studied in Hilbert's 10-th 
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problem. It requires significant extra work to establish these extra side condition properties. In 
general it is difficult to rigorously prove results that the number of significant digits present after 
a sequence of floating-point operations, because there is the possibility of losing all significant 
figures when adding two nearly equal floating-point number of opposite signs. We are able to 
show this potential cancellation effect cannot occur here, using a priori information about the 
magnitudes of the quantities being computed at all intermediate steps of the computation. 

Appendix A gives bounds on the period lengths (mod M) of solutions to certain second-order 
linear recurrences. Appendix B gives needed results on floating point computation, concerning 
bounds on the loss of accuracy in floating-point operations. 



2.1. Notations and Conventions. 

We use a notion of size \ \F\ \ of the system (j2.ip ~ (j2.3p given by 

||F|| =MAX(|a|,|6|,|c|,|d|,|e|,|/|,|r|) . (2.5) 

The size ||-F|| is related to the length L{F) in (??) by 

log||F|| < L(F) < log||F|| 4 . (2.6) 

We also need an analogous notion of size ||M|| of a matrix M = [rriij] given by 

||M|| = MAXij\mij\ . (2.7) 

If M, N are m x k and k x n matrices, respectively, then we have the trivial bound 

||MN|| < k ||M|| ||N|| . (2.8) 

For ease in counting operations, we establish the convention that 

, f logo Ixl Ircll > 4 ,„ 

^°S^ = | 2 N<4. (2-9) 

In addition, when counting operations we will sometimes use the function 

M(n) = n(log n)(log log n) (2.10) 

arising from the Schonhage-Strassen bound 0(M(n)) for the multiplication of two n bit binary 
integers. The 0-symbol has the usual meaning, that 0{f{n)) means < c|/(n)|, where cis an 
absolute, effectively computable positive constant (which may differ at each occurrence of the 
0-symbol.) 



3. Bounding the Size of the Least Admissible Solution 

In this section we bound the size of the least admissible solution to definite and degenerate 
binary quadratic Diophantine equations, and show that this solution itself may serve as a 
certificate. The difficult case is that of indefinite binary quadratic Diophantine equations. In 
this case we obtain an exponential upper bound for the size of the minimal admissible solution. 
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We can immediately simplify (j2.ip by an invertible variable change provided D ^ 0, c ^ 0. 
Following Mathews ([25], 258-260) we introduce new variables 



(3.1) 



yi 




'DO' 




Xl 


+ 


be — ed 


y2 




be 




_ X2 




e 



which transforms ()2.ip to the equation 
where 

We note the bound 

Inverting the system (|3.ip yields 



2/1 - Dyl = g 



a b e 
bee 
def 



\9\ < 6||-F| 



(3.2) 

(3.3) 
(3.4) 



Xl 
X2 



D » 



_b_ 1 

oD c 



yi 
y2 



+ 



ed — be 
D 

ae — bd 
D 



(3.5) 



We have obtained the following. 

Lemma 3.1. Let (2/1,2/2) be an integral solution to 13.^) . and let a modulus T be given. Then 
{xi,X2) given by i3. 5|) is a rational solution to /i2.1]) . The congruence class of (2/1,2/2) (mod 
cDF) determines whether xi,X2 is integral, and if so specifies {xi,X2) (mod T). 

We now bound the size of solutions to define and degenerate binary quadratic Diophantine 
equations. 

Lemma 3.2. Suppose that a given binary quadratic Diophantine equation is either definite or 
degenerate. If it has any admissible solutions at all, then it has an admissible solution {xi,X2) 
with 

MAX(logxi,logX2) < 81og||F|| + 8 . (3.6) 
Proof. There are several cases. 



Case 1. D ^ 0, c 7^ 0. Then the change of variables (|3.ip takes integral solutions of (12. ip 
to integral solutions of 

yl - Dyl = g . (3.7) 
In the definite case D < 0, hence all integer solutions to ()3.7p have 



MAX{\yi\,\y2\) < VW\ ■ 
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Using (|3.4p and ()3.5p . we see that all integer solutions to (2.1) must have 

MAX{\xil\x2\) < \\F\\^ . 
This implies (j3.6p . In the degenerate case D = is a perfect square and (|3.7p becomes 

{yi + hy2){yi - hy2) = g ■ (3.8) 
Hence each integer solution (2/1,^2) gives rise to a factorization g = gig2 where 

yi + hy2 = gi 

yi - hy2 = 52 • (3.9) 

Solving (3.9) for yi,y2 we obtain 

MAX{\yi\,\y2\) < \g\ 

using (j3.5p again, this implies (|3.6p . 



Case 2. D / 0, c = 0, a 7^ 0. Interchange xi and X2, proceed as in Case 1. 
Case 3. D ^ 0, a = 0, c = 0. Then (l2T|) yields 

(6x1 + e)(6x2 + d) = de — — . 
A similar argument to ()3.8p . (3.9) shows 

M^X(|xi|,|a;2|) < 3||F|p 

in this case, implying (j3.6p . 
Case 4. D = 0. 

axf + 26x1X2 + CX2 = m(axi + (3x2)^ 
where m, a, /? are integers, m / 0. Let 

z = axi + /?X2 • 

Suppose first af3 7^ 0. Substituting X2 = ^-^^ in ()2.ip we obtain 



if ea — d/3 = 0, and 



ml3z^ + 2ez + fp = 
mPz^ez + f(3 

xi = -Tr( JJ^ (3-10) 

2(ea — dp) 

if ea — d(5 ^ 0. If ea — (i/3 = then 2; assumes one of two values, xi may assume any value, and 
(j3^ is easy to verify. If ea - d/3 7^ substitute xi = '^-^ into (pT]) to get 



maz^ + 2dz + /a /o \ 

= 2(e« - dp) ■ ^'-''^ 
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Now the congruence class of z(mod 2{ea — dp)T) determines whether (xi,X2) given by (|3.10p . 
(]3.1ip are integral, and if so specifies their congruence class (mod F). Hence any specified 
(xi,X2) (mod r) that can occur is given by some z in any block of 2{ea — d(3)T consecutive 
values of z. Now consider what signs of (xi,X2) can occur. The sign of xi changes when the 
numerator of the right side of (|3.10p changes sign, and the sign change occurs form some z with 
\z\ < 6||-F|p. A similar result holds for the sign of X2 via (jS.lip . Hence if there is an admissible 
solution, there will be one with 

\z\ < 6||F|p + \2{ea - dp)T\ < 10\\F\\^ . 

Using and (l3lT|) then gives (ISTBI) . 

Finally suppose a/5 = 0. If a = /? = then (j2.ip is linear and (|3.6p is easily verified. If 
a = and /? / then use (|3.10p and replace (|3.1ip with 

z 

The same argument as in the case a/3 / now proves ()3.6p . The case a / 0, /3 = is treated 
similarly. □ 

Lemma 3.2 shows we need only consider indefinite binary quadratic Diophantine equations 
in the sequel. In the indefinite case ac 7^ in ()2.2p and hence the variable change (j3.ip is 
invertible. We now reduce the problem of finding admissible solutions to ()2.ip to that of finding 
an admissible solution (suitably defined) to yl — Dy^ — 9- 



Lemma 3.3. Suppose that the system Il2.1\) - f2^) has an admissible solution x = (xi,X2). 
Then one of the following holds. 

(^) 

\\x\\ < 200||F||^ . (3.12) 

(a) The equation 

yl - Dyl = g (3.13) 
with g given by i3. 3\) has a solution (^1,2/2) such that 

2/1 > (3.14) 

and one of 

y2>0 and c{-b + /D) > , (3.15a) 

2/2 < and c{b + /D) > , (3.15b) 
holds. In addition (2/1,2/2) (mod cDT) satisfies 

cyi + c{be — cd) = cDai{mod cDT) , (3.16) 

— byi + Dy2 — c{ae — bd) = cZ)a2(mod cDT) . (3-17) 
Conversely, if the system h3.13\) - l3.11^ has a solution, then h2. 1\) has an admissible solution. 
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Proof. Suppose the admissible solution bx has 

||x|| > 200||F||6 . (3.18) 

We show that the solution (yi,y2) to ([3l3]) given by ([M]) satisfies ([3lM -(3.l7). Now (l33]) 
shows that (fHT^ . (3.17) hold. 

We first show (|3.18p implies |yi| and \y2\ are large. If ||y|| < 90||i^||^ then absolute value 
estimates in p.4p yield 

||x|| < igoilFii*^ 

contradicting (3.19). So ||y|| > 90||F||^ If \yi\ < 90\\F\f then \y2\ > 90\\F\\^ then 

yf > D{y2f - \g\ 

implies 

lyil > 89||F||5 , (3.19) 

so this holds in all cases. Then 

2 > yl - |g| 
y2> ^ 

implies 

\y,\>^\\F\t . (3.20) 



Now suppose yi < 0. Then by (j3.ip 

yi — {he — cd) = Dxi > 

so 

\yi\ < \he - cd\ < 21||F|p , 

contradicting (3.19). Hence (|3.14p holds. 
To prove (3.15), note (j3.13p yields 

\yi + yal \yi -VDy2\ = \g\ < 6\\F\f . (3.21) 

Since 

yi + ^D y2 = {yi-VD ya) + 2^/15 ys , 

([3:20]) implies that 

MAX{\yi + y/D yal, |yi - ^/D yaj) > 88\\Ff . 

Hence (3.21) yields 

MIN{\yi + yal, |yi - yaj) < \\F\\-^ (3.22) 



Consequently yi is very close to one of itvD y2. 
We consider first the case that 



\yi 



y2| < llFir^ . (3.23) 
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So 7/2 > in this case. Then (|3.5p yields 

cDx2 = —byi + Dy2 + c{—he + cd) — eD 

= VD{-b + VD)y2 + C (3.24) 

where 

Id < ||F|| + 8||F||^ < 9||F||^ . (3.25) 

We claim 

\ - b + cVd\ > -\\F\\-^ . (3.26) 
3 

Indeed, suppose | — 6 + VD\ < 1. If so, then | — 6 — Vd\ > 1. So 

, , ^, \b'^-D\ 1 



I -6-/D| - 3||F||2 ■ 
Now ([3:20]) and (13:26]) imply 

|/D(-6 + ^)y2| > 29||F||^ . (3.27) 
Then comparing (3.24), (|3.25p and (|3.27p . we obtain 

sign {cDx2) = sign (/D(-6 + VD)y2) ■ (3.28) 

Since X2 > 0, this yields 



sign (2/2) = sign (c(-6 + V-D)) 
which proves (3.15a). Finally we consider the case 

\yi + VDy2\ < \\F\\-'^ . 

Then 2/2 < in this case. An analysis similar to the previous case shows that 

sign (7/2) = - sign {c(b + VD)) 

which gives (3.15b). 

To prove the converse, suppose we have a solution (yi, 2/2) to ()3.13p - (j3.17p satisfying (3.15a). 
Let {ti,ui) be the minimal positive solution to Pell's equation 

- Du^ = 1 . (3.29) 

Let 

tk + Uk\^ = {ti + ui\^f . (3.30) 

It is well-known that {tk,Uk) satisfy (j3.29p and that for any modulus M there exists an integer 
p{M) such that 

tk = I (mod M) 

Uk ^ (mod M) (3.31) 
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whenever 

p{M)\k . 

(See Appendix A.) Certainly ti^,Uk ^ oo as ^ cxd. We now set 

yl+y*2VD = {yi+y2VD){tk + UkVD) (3.32) 

where p{cdT)\k. Note that since yi,y2,tk,Uk are all positive, yf > tk,y2 > Uk- By picking k 
large enough, we may guarantee 

MIN{yl,y*2)>88\\F\f . (3.33) 

Furthermore (3.31) applies with M = cDT guarantees that 

y* = yi(mod cdT) i = 1,2 . (3.34) 

Also (|3.32p and (|3.29p guarantee that (1/1,2/2) satisfy (|3.13p . Now let (x^,X2) be the rational 
solution to (12. ip associated to (2/1,2/2) by (|3.5p . Now ()3.34p shows that (2/1,2/2) satisfies (I3.16p . 
(|3.17p hence {xl,X2) is an integer solution and 

X* = ai(mod T) . 

We claim {xl,X2) is nonnegative. If so (xi,X2) is the desired admissible solution. Using (13. 5p 
and (|3.33p . we obtain 

Dxl >y*i- \be-cd\ > 86\\F\f 

hence > 0. Now (|3.33p shows the argument (j3.2ip - (j3.22p is valid here, and since 2/1 > 0, 
2/2 > we obtain 

\yl-VDy*2\ < \\F\\-' . 

The argument (3.24)-(3.28) also assumed only the truth of (j3.20p . so it is valid here and we 
obtain 

sign {cDx2) = sign {^/D{~b + c^/D)y2) . 



We are given 2/2 > 0, c{—b + cV D) > 0, hence X2 > follows in this case. 

Now assume a solution exists to (|3.13p - (|3.17p satisfying (3.15b). In this case set 

yl + 2/2 = (2/1 + y2VD){tk - UkVD) 

where p{cDr)\k. Since 2/1 > 0,2/2 < 0,tk > 0,Uk < 0, we obtain 2/1 > 0,2/2 < and 2/1 > 
ifci I2/2I — l^fcl • By picking k large enough, we ensure that 

MIN{\yll |2/^|) >88||F||5 . (3.35) 

Also 2/i = 2/j (mod cDT), and (2/1,2/2) satisfies (|3.13p . An analogous argument to the case 
treated above now shows that {x1,X2) associated to this (2/1,2/2) is an admissible solution to 
(HH). □ 

It remains to bound the size of admissible solutions to the equation 

yj - Dyl = g . (3.36) 
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The set of solutions to this equation has a simple form related to solutions of the Pell equation 



^2 _ Du^ = 1 . 

Let (ti,Mi) denote the minimal positive solution to this equation, the fundamental solution, 
and let 

e = ti+uiy/D. (3.37) 
A solution (yi,y2) to (|3.36p is called basic provided rj = yi + 2/2 has 

1 < < e . (3.38) 

Lemma 3.4. For a positive squarefree D the complete set of solutions {xi,X2) to 

Vi - Dyl = g 

is given by 

yi + y2VD = r^e^ (3.39) 
for some basic solution rj and some integer k. There are only a finite number of basic solutions. 

Proof. Suppose (2/1,2/2) is a solution to (j3.36p . Then for some integer k, 

e'' < \yi + y2VD\ <e^+^ . 
Consequently for the correct choice of sign 

r] = e~^{xi + X2^) (3.40) 

is a basic solution. 

There are only a finite number of basic solutions since 

r] = yi- y2'/D = g/rj 

using ()3.36p . Hence 

|yi| < |??| + I?? < e + Iffl 

M < (3.41) 

□ 

We use the following well-known upper bound on the size of the fundamental solution of 
Pell's equation. 

Proposition 3.1. (Hua [17]) Let (ti,ni) be the minimal positive solution to Pell's equation 
- Du^ = 1. If e = ti +ui\fD then 

e < D"^ . (3.42) 
We can now establish the following bound. 
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Lemma 3.5. Suppose that the equation 

yl - Dyl = g (3.43) 

has an integral solution (^1,2/2) with 

Vi = aj(mod M), i= 1,2 , 
and with {yi,y2) having prescribed signs. Then it has such a solution with 

MAX{logyi,logy2) <9\\E\f/\log\\E\\f (3.44) 
where \ \E\ \ = MAX{\D\, \g\,M). 

Proof. Consider the set of solutions {yi,y2,k) to (j3.43p where 

yi,fc + y2,fe/D = ??e\ (3.45) 

k runs through the integers, and 

V = 2/1,0 + y2,o\^ 

where (yi, 0)^2,0) is a fixed basic solution of ()3.43p . We consider these solutions from the 
viewpoint of their sign patterns and congruence classes (mod M). 

For sign patterns, we will show that the signs of (2/i,fc, y2,fc) become constant for all sufficiently 
large positive k, and also for sufficiently large negative k. We show sign (yi^k) is constant for 
all k with 

k > log \g\ , (3.46) 

and is constant for all k with 

A;<log|5|-2. (3.47) 



The same holds for 2/2, fe- To do this, we use the standard notation a = a — bv D for the algebraic 
conjugate of a = a + 6i/D- Suppose ()3.45p holds. Then 

yi,k = livie)' + m") ■ (3.48) 
Now f] = g/rj by (|3.43p and e = e^^. Now suppose 

/^>log|5| > (loge)-iloglffl (3.49) 

since the smallest e that occurs is e = 2 + \/2> for = 3, and so e > e. Then since r/ > 1, eo < 1, 

wf\>\g\>\her^\ = m'\- 

V 

In this case yi^k has the same sign as r], and is constant. Similarly when (|3.47p holds we find 
yi^k has the same sign as f/. (Use the fact 1 < |?/| < e.) Similar arguments apply to 2/2, fc using 
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For congruence conditions, in Appendix A we show that for 

tk + UkVD = e'' (3.50) 

and any modulus M, the sequences {tk},{uk} formed when k varies are both periodic (mod 
M), and that the minimal positive period p{M) of both series jointly has 

p{M) < 2M(log M + 1) . (3.51) 

Using (j3.45p this guarantees that the sequences {y2,fc} are both periodic (mod M) with 

period p{M). 

Combining these results, we find that all possible combinations of sign patterns and con- 
gruence conditions (mod M) that occur for (yi,fc,y2,fc) in the sequence (I3.45P occur for some k 
with 

|d| < 4M(logM) +log5 + 2 . (3.52) 



In this circumstance 



\yi,k\ = l\r]{e)'+f]ie)''\ 



> lie''^' + \9\)<\g\e''-' 



using (|3.38p . |7y| < \g\, and e < 1. Hence 

logyi,fc < logg + (/c + l)loge 

< (4M(logM) + 21ogc/ + 3)\/Dlogi:> (3.53) 

using Proposition 3.5. Using 

we obtain the same bound (3.53) for logy2,fc- The bound (3.53) implies 

M^X(logyi,logy2) <9||^|p/2(log 11^11)2 . 
By Lemma [3.41 all integer solutions to (3.43) fall in one of the sequences ()3.45p . and this proves 



Lemma 3.6. Any indefinite binary quadratic Diophantine equation that has an admissible 
solution has such a solution {xi,X2) with 

M^X(logxi,logX2) < 210||F||^(log||F||)2 . (3.54) 
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Proof. We apply the results of Lemma 13.31 and Lemma 13. 5i Using (j3.35p a solution (yj , ) 
of (j3.43p will correspond to an admissible solution {xl,X2) of (12. 1[) provided (ii) of Lemma 3.3 
holds and 

MINi\yl\, |y2*l) >88||F||5 . 
By Lemma 3.4 we may write (yj, y^) = {yi,k, 2/2, fc) for some r] and k in (j3.45p . But for 

k > 71og||F|| + 11 

we have 



\yi,k\ > l{\ve'\-m'\ 



(3.55) 



(3.56) 

> e^i°gll^ll+iO- |y| >88||F||5 . (3.57) 
A similar bound holds for \y2,k\ ■ We obtain the same bound for 

k < -71og||F|| - 13 

using 

\yi,k\ > \{\m'\-\ve'\) 

and similarly for y2,k- Combining these inequalities with the argument of Lemma 3.6, we 
find that if (j2.ip has an admissible solution (xi,X2) it has one whose corresponding solution 
{yi,k,y2,k) to (|3.43p (for some r/) has 

\k\ < 4|cL>r|(logcL>r) 101og||F|| +20 
< 90||F||^(log||F||) . 

The same argument as Lemma 3.6 then gives 

M^X(logyi,,.,logy2,fc) < 100||F||5(log ||F||)2 

and ([33]) then gives (f33i]) . □ 

4. Integral Binary Quadratic Forms 

The problem is now reduced by Lemma 3.3 to that of studying the solutions of the equation 

y2 - Dyl = g . (4.1) 
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To proceed further we use the theory of integral binary forms. A final necessary step before 
applying this theory is to reduce to the case where 2/1,2/2 are relatively prime. If 2/1,2/2 is a 
solution to (j4.ip and (2/1,2/2) = h set 



obtaining the equation 



yi 



Dzi 



{ZI,Z2) 



G 
1 . 



(4.2) 



(4.3) 



If we determine 2:1,-22 (mod cDT) then we certainly know 2/1,2/2 (mod cDT). 
An integral binary quadratic form Q = [a, 25, c] is given by 



Q(xi, X2) = ax\ + 26x1X2 + c = x"^Qx . 



Here 
and 



Q 



[Xl,X2\ 

a h 
h c 



is a symmetric matrix associated to the form Q. A form Q is properly primitive provided 
(1, 26, c) = 1, and we shall only deal with properly primitive forms in the rest of this paper. We 
say a form Q primitively represents an integer G provided 

Q{zi,Z2) = G (4.4) 

for two relatively prime integers zi,Z2. The determinant D of a form Q = [a, 26, c] is given by 



D 



ac 



(4.5) 



The identity form I is [1,0,-1?]. In this terminology (4.3) asserts that the identity form 
primitively represents G. 

Following Gauss we will transform the question of primitive representation of integers by a 
form to that of determining the equivalence of two forms. A form Qi is equivalent to a form 
Q2 if there is a 2 x 2 integer matrix S with det(S) = 1 such that 



S*QiS = Q2 



(4.6) 



This is an equivalence relation, and we denote it by Qi ~ Q2- This equivalence relation 
preserves the determinant D, the property of being a properly primitive form, and the property 
of primitively representing a given integer G. 



Lemma 4.1. Let zi,Z2 satisfy (4j^- There exist Z3,Z4 such that ziz^ — Z2Z3 = 1 and the 
zi 23 

Z2 Zi 



matrix Z 



shows L ^ Qq where 

Qo = [G,2B,C] 



(4.7) 
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where 

MAX{2\B\,\C\) < \D\+4G^ . 
For any such choice of B,C, z^, Z/j^ we have 

MAX{\zi\) <6{\zi\ + \D\+G^) . 
MIN{\z,\)>-^{\zi\-5\D\-5G^) . 



Zl Z3 
Z2 4 



3VD 

Proof. Choose z^, z\ so that ziz\ — Z2Z^ = 1. Then S* 

Q = [G,2B*,C*] . 



(4.8) 

(4.9) 
(4.10) 



shows I ^ Q* where 



Now select A so that Si 



Then 



so 



Also / w Qo via 



1 A 
1 



shows Q* Qo where 
Qo = [G,2B,G], 0<B<\G\ . 



G 



\G\ < \D\ + G^ . 



(4.11) 



Z = S*5i 



Zl Z3 
Z2 Z4, 



Now suppose zs,Z4,B,G are chosen to satisfy (4.7), (4.8) and so that Z shows / « Qq. To 
bound Z2, Z3, Z4 we observe that 

(4.12) 
(4.13) 
(4.14) 



Then (jiJ^ gives 



Hence 



\zi\ 



G 


= zl- 


Dzl 


B = 


ZlZ-i - 


DZ2Z4 


G 


= 4- 


-Dzl 


D\Z2\\ 


\zi\ 


\G\ 

+ VD\z2\ 



<\G\ 



^^(|zi|-|G|)<|z2|<-^(ki| + |G|). 



Similar arguments using ()4.1ip and (14. 4p show 



\\Z3\-VD\Z^\\ < 



\D\ G^ 



\Z3\ +VD\z4\ 



< \D\ + G^ 



yielding 



L(|Z3| - \D\ - G') < \z,\ < -^(|Z3| + \D\ + G') 



(4.15) 
(4.16) 

(4.17) 
(4.18) 
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Next note that 

B = ^{(zi + VDz2){z3-VDzi) + {zi-VDz2){z3 + VDz^)} 

^ 1 h, + VDz2 ^ z, + VDzA 
2 [z3 + VDzi zi + VDz2j 

Viewing this as B = ^G{x + ^) then < i? < |G| gives 

^<N<3. 

If Z3, Z4 have the same sign, (j4.9p yields 

\{\zi\ + Vd\z2\) < \Z3\ + /D|z4| < 3(|zi| + Vd\z2\) (4.20) 
so by (|4.16p we obtain 

|Z3| <6(|zi| + |G|) (4.21) 

and 

\z,\<-^{\z,\ + \G\) . (4.22) 
Adding KTT\\ and ^Mi), we obtain 



2|z3| > ^{\zi\ + ^/D\z2\)-\D\-G^ 



> \{2\zi\ - ^\D\ - AG^) (4.23) 



using ([4T5]) . Then (l4T8l) gives 

1 



Z4|>-^(|^i|-|i?|-5G2). (4.24) 
If 23, Z4 have opposite signs, we use 

B - + zs-^VDz^] 

2 [ 2:3 - \/l)2:4 Zi - VDz2 J 

and again conclude (|4.20p ~ ()4.24p by similar arguments. □ 

We shall simplify the situation further by replacing the form Qq given by Lemma 14.11 by a 
reduced form Qred- An indefinite form Q = [a, 2b, c] is reduced when 

< 6 < 

VD-b < \a\<VD + b. (4.25) 



21 



It can be checked that these inequahties imply that 

VD-b<\c\<VD + b 

so that 

IQredl < 2Vd . (4.26) 

We use the following result. 

Proposition 4.1. Given any indefinite form Q, there is a unimodular matrix Si and a reduced 
form Qrcd such that Q ~ Qrcd via Si, and 

logllSill =0(log||Q||) . (4.27) 
Proof. This is Lagarias [20, Theorem 4.1]. □ 
The identity reduced form 

i=[l,2X,fj] (4.28) 

is defined hy I ^ I via 

where X = [VD]. I is a reduced form. The results obtained so far are summarized in the 
following lemma, which will provide one part of the certificates. 

Lemma 4.2. Consider the binary quadratic Diophantine equation E given by 

yl - Dyl = g . (4.30) 

This equation has a solution {yi,y2) satisfying 

yi = ai{mod M), i = 1,2, (4.31) 

and 

sign{yi) = sign{i), i = 1,2, (4.32) 

where sign{l), sign{2) are specified signs, provided there exist integers h, B, C and2x2 matrices 
S, W having the following properties. 

(i) h is a positive integer and G = gjh? is an integer. 

(ii) The quadratic form Qq = G, 2B, C] is property primitive of determinant D. 
(Hi) The matrix S shows 

Qo ~ Qrcd via S (4.33) 

where Qrcd is a reduced form, 
(iv) W shows 

i « Qred via W (4.34) 
where I is the reduced identity form, Qrcd is given by ^.33 ). 
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(v) Define U 



Ui Us 
U2 Ui 



by 



U 



1 -A 
1 



WW 



where A = [yD]. The congruence class o/W(mod M) is such that 

hui = ai(mod M), i = 1,2 . 

In addition 

sign{ui) = sign{i), i = 1,2 . 



(4.35) 



(4.36) 



(4.37) 



In fact yi = hui,y2 = hu2 then satisfy li4-30{ )- ^4-32 ). Conversely, if such an admissible 
solution exists, then there exist integers h, B, C and 2x2 matrices S, W having properties 
(i)~(v) and satisfying in addition the following bounds, where \ \E\ \ = MAX{D, \g\,M). 



(vi) 
(vii) 
(via) 
(ix) 



\ogh = O(logll^ll) 
MAX{\B\,\C\) <D + 4:g'^, 
log||S|| =0(log||i?||), 
log||W|| =0(||ii;||3/2(log||ii;||)2) 



(4.38) 
(4.39) 
(4.40) 
(4.41) 



Proof. Suppose that properties (i)-(v) above hold. We check that yi = hui,y2 = hu2 satisfy 
(4.30)-(4.32). The congruence and sign conditions hold by (4.36), (4.37), since /i > by (i). 
To show (I4.30p holds, we observe that 

I Qq via U 
where I = [1,0, —D] and U is given by (j4.37p . For 



(S*) 



1 -A 
1 



where S* is given in (j4.29p shows I ^ I, W shows I ~ Qred by (iv), and S ^ shows Qrcd ^ Qo 
by (iii). Thus 



u 



1 
-D 



U 



G B 
B C 



(4.42) 



Examining the upper left corner of this identity gives 



ul-Dul = G . 



Using G = glh^ by (i), (1430]) follows. 
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Now suppose an admissible solution (yi, 1/2) satisfying ()4.30p - (|4.32p exists. Using Lemma [3.5l 
we may suppose 

A/MX(logyi,logy2) < 9\\E\f/\log\\E\\f . (4.43) 

Set 

h = g.c.d.{yi,y2) . 
and G = g/h?, establishing (i). Since h divides g, 

logh = 0{\og\\E\\) 

giving (vi). Letting zi = yi/h, Z2 = 112/ h, we may apply Lemma 4.1 to produce B, C satisfying 
(ii), (vii), and a matrix Z showing / ~ Qq. The bounds (14. Sh imply 



and ()4.9p gives 



logiigoll = o(iog||ii;| 



log||Z|| = 0{\\E\f/^{log\\E\ 



(4.44) 



(4.45) 



using (I4.43p . since zi divides yi. Proposition 14 . 1 1 and (14.441) produces an S satisfying (iii), (viii 
Take U = Z in (f05]) and define 

' 1 A 
1 



W 



zs . 



1 A 
1 



The ui = zi,U2 = Z2 so (v) holds. Also 
Qq Qred) hence (4.40) shows (iv) holds. Finally (|4.46p gives 

IIWII < 8||S*|| IIZII IISII 



(4.46) 

shows / « /, Z shows I ^ Qq and S shows 



where S* 



1 A 
1 



with A = [V^l • Hence 



log||W||=0(||i?||3/2(log||£;||)2) 

using (j4.45p and the already established (viii). □ 

5. Equivalence of Reduced Indefinite Binary Quadratic Forms 

The problem has now been simplified to that of finding a particular matrix W which demon- 
strates the equivalence of the identity form / and a reduced form Q^ed- Gauss [11, Arts. 183-205] 
showed that such matrices have a special structure, which we describe below. 

A reduced form Qi = [ai,2bi,ci] is said to have a reduced form Q2 = [a2,2b2,C2] as a 
right-neighbor provided 02 = ci. In this case Qi ^ Q2 via S where 



1 
-1 A 



and A is specified by 



- - 61 < Aci < -Vd -bi + \ci\ 



(5.1) 



(5.2) 
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Each reduced form has a unique right neighbor. Let Q^^^ denote the right-neighbor of /, and 
the right -neighbor of Q^^ ^\ Let S^-^^ denote the matrix given by dSI]), ^ taking g^^-^) 
to Q^^\ The set of Q^^^ form a closed cycle of even period 2p, i.e., there exists some Q^^^ = I 
and the smallest k = 2p. We call this cycle the principal cycle. For 1 < j < 2p, I ~ Q^^^ via Lj 
where 

(5.3) 



Lj = S(i) . . . S(^') . 



We call Lj a simple equivalence matrix. The matrix U = Jj2p is called the fundamental auto 
morph. If we set 



U 



u w 

t V 



the condition I k, I via U shows that u satisfies Pell's equation 

- Du^ = 1 . (5.4) 
In fact \u\) is the least strictly positive solution to (j5.4p . the fundamental solution, and 



U 



u t 
t Du 



(5.5) 



We may consistently extend the definition of Lj to apply for all integers j by first defining S 
for negative j by 

where j = jo (mod 2p) and < jg < 2p, using (j5.3p for all positive j and using 

L_j = S(-^')...S(-i) 
for j > 0. In that case, for any integer k we have 

Lj+2fcp = U'^Lj . 

Gauss proved the following result (see Mathews [251 Arts. 76, 88], Venkov [37j ) . 



Proposition 5.1. (Gauss) Let I k, Q via T where Q is reduced. Then there is some j with 
1 < j < 2p such that Q = Q^^\ Furthermore there is an integer k such that 



±VLj = ±L 



'j+2kp ■ 



(5.6) 



For the proof of Theorem 11.11 we need more detailed information about the equivalence 
matrices Lj. We first introduce the notation that if a matrix M = [m-jj], then 



|M| = [\mij\] . 

Lemma 5.1. The equivalence matrices Lj have the following properties. 



(5.7) 



(i) For j > the entries of Lj have the sign patterns 
according as j = 0, 1, 2 or 3 (mod 4)- 



++ 




-+ 








+- 


++ 




-+ 








+- 
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(ii) For j > 0, 
and 



is(i)|...is(^')| 



is(-^')|...is-«l . 



(5.8) 



(5.9) 



(in) The four entries ofLj = (kj) are all about the same size in the sense that for any \j\ > 2, 

MAX\h 



1 < 



MIN\li 



< 4{D + Vd) . 



(5.10) 



Proof. We first observe that a reduced form Q = [a,2b,c] has by definition (I4.20p \b\ < y D 
hence 

ac<0. (5.11) 

The reduced forms Q*^*^ = [aj,26i,Cj] in the fundamental cycle have a^+i = q. Noting Q(°) = / 
so ao = 1, by induction using (|5.11[1 we obtain 



Now (4.25) and imply that 
so that (I5TTD . (f5J2]l yield 



{-Vfa, > . 

AjCi„i < , 
-1)'+^,, > . 



(5.12) 



odd, 



To prove (i) and (ii), note (I5.13P implies S*-*^ for i > has the sign patterns 
++ 



-+ 
-+ 



(5.13) 
when i is 



when i is even. Then it is easy to establish by induction on i > that the entries 



of Lj, have the sign patterns 



++ 




-+ 








+- 


++ 




-+ 








+- 


i > shows no cancellation occurs 


For i < 0, 


we observe first that 





/ 


-1 


" A 


-1 " 






-1 


A 




1 










according as i = 0,1,2,3 



Then note Aj = Ai_2p so (|5.13p holds for z < as well. This implies that for i < 0, S^*^ has the 



sign patterns 



++ 



if i is odd, 



+- 
+- 



+- 



if i is even. Another induction 



if i is odd, 

shows for i < that the entries of Lj have the sign patterns 

according asi = 0, 1, 2 or 3 (mod 4). Then (j5.9p follows by 

To prove (iii), consider first the case j > 0. Using (j5.8p . we need only bound the entries 



++ 












++ 


++ 




+ + 










induction. 







1 







1 


1 |Ai| 




1 





(5.14) 
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The formulae for |L, | is exactly that of the ordinary continued fraction algorithm, where 



Pj-i Pj 
q-j-i Qj 

and 1^ is the jth convergent to = [0, |Ai|, IA2I, • • •]• In particular, for any j > 2 we have 



(5.15) 



Now ()5.2p implies 
so (j5.15p yields 

In addition 



IA2I _ P3 ^ Pj ^ P2_ 1 

IA1A2I + 1 q3 ~ Qj ~ 92 I All 

1 < |Ai| < 2^/D 



2VD + 1 Qj 



Qj+i = + ^ (l^il + 
Combining (j5.16p . (j5.17p . we obtain 

Pj < Pj+i < Qj+i 

Pj < Qj < Qj+i ■ 



Finally 



(5.16) 

(5.17) 
(5.18) 
(5.19) 

(5.20) 
(5.21) 



and since > 1 for j > 2 by (j5.15p this implies (jS.lOp on this range. The case j < is treated 
analogously to j > 0. In this case 



Pj+i Pj 



however. □ 



We remark in passing that there is a close connection between the Aj and the continued 
fraction expansion of ^Td. Let 

^Td = [/icpti,... ,/U„] 

where [//i, . . . is the purely periodic part of the expansion and n is the shortest period. 
Then n = 2p if n is even, and n = p otherwise. In either case fii = |Aj| for 1 < i < 2p. 
Our next step is to estimate the size of the entries of Lj in relation to j. 



Lemma 5.2. For all j > 0, 



and 



log||Lj+2|| > log||Lj|| + 1 , 
log I |Lj 1 1 < log I |Lj+i 1 1 < log I |Lj 1 1 + log + 2 . 



(5.22) 
(5.23) 
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Proof. For the bound ([O^]) . we use I^J^, ([513]) to obtain 

qj+2 = (|Aj+iAj| + l)qj + |Aj+i|gj_i > 2qj . 

The left side of (fOSl) follows from (5.21). Finally dOT]) implies 

log|m-+i|| < log||Lj|| + log(2/D + 1) 

from which the right side of (15.231) follows. 

Analogous inequalities to (j5.22p . (j5.23p hold for j < 0. Using Lemma [5^2] it is easy to prove 
by induction that for j > 1 we have 

^IjI <log||L,|| < |i|(logZ^ + 2) . (5.24) 

The same holds for j < —1. □ 

We next state a bound for the length 2p of the fundamental cycle. 

Proposition 5.2. The period 2p of the fundamental cycle satisfies 

p < {Vd + l)logD. (5.25) 

Proof. The result of Hua [T7] asserts that if (to,'Uo) is the fundamental positive solution to 
— Dy'^ = 1 then 

to + UqVD 
2 

Using (5.5) we obtain 

\\l^2p\\ < D^+' . (5.26) 

Combining ()5.26p with (|5.24p gives 

p< log||L2p|| < (/D + l)logL> . □ 

The examples D = 52"-+i mentioned in the introduction show that periods p > \'\fD do occur. 
We can use the preceding results determine properties of the matrix W of Lemma |4.2[ 



Lemma 5.3. Let W he the matrix guaranteed to exist in Lemma satisfying (i)-(ix) of 
that lemma. Then 

W = ±{Up)% (5.27) 
for some j with 1 < j < 2p and an integer k satisfying 

\k\=0{\\E\\'/\log\\E\\f) . (5.28) 

Proof. This follows immediately from Proposition 15.11 Lemma 15.21 and (4.41). □ 
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6. Composition of Binary Quadratic Forms 



The certificates we construct use the operation of composition of binary quadratic forms 
introduced by Gauss, in particular the action of composition on the fundamental cycle of reduced 
forms. The idea of analyzing the action of composition on the cycle of reduced forms equivalent 
to / is due to D. Shanks [33] . 

The simplest example of composition of two binary quadratic forms is the identity 

(x? + xl){yj + yl) = {xiyi - X2y2f + {xiy2 + X2yif 



(6.1) 



noted by Fermat, which shows that the product of two numbers which are the sum of two 
squares is itself the sum of two squares. We can rewrite (|6.ip in the form 

(6.2) 



Qiixi,X2)Qi{yi,y2) = Qi{xiyi - X2y2,a^i2/2 + X2yi) 
where Qi = [1, 0, 1], and in matrix terms as 

x*Qixy*Qiy = z*B*QiBz 

where 

X* = [xi,x2], y* = [yi,y2] 
z* = [xiyi,xiy2,X2yi,X2y2] 



and 



B 



1 







1 1 



-1 





(6.3) 

(6.4) 
(6.5) 



In this case we say Qi is composed of Qi and Qi via the bilinear matrix B of (j6.5p . 

In the general case we say a quadratic form Qs = [a3,2bc,C3] is composed of forms Qi = 
[ai, 26i, ci] and Q2 = [a2, 262, C2] via a bilinear matrix B provided the matrix equation 

x*Qixy*Q2y = z^B^QgBz (6.6) 

holds, where x, y, z are given by (16. 4p . the Xj and yj are indeterminates, and B is a 2 x 4 bilinear 
matrix required to be unimodular and oriented (terms defined below). A 2 x 4 matrix B = [bij] 
is: 



(i) unimodular provided the six cofactors 



hi 
b2i 



hi 
b2j 



1 < i < j < 4 



have greatest common divisor 1. 
(ii) oriented provided aiAi2 > and a2Ai3 > 0. 

We write Q3 = Qi o Q2 to indicate composition of forms. 

Our treatment of composition of forms is based on Mathews [25] , Venkov |37j and Lagarias 
[20] . One may also consult Buell [8], Gauss \15\, Shanks [32], Smith [35]. If Q3 is composed of 
two properly primitive forms Qi and Q2 of determinant D, then Q3 itself is properly primitive 
of determinant D. 

In the rest of this section we deal only with properly primitive indefinite forms. We first 
recall the following result on composition. 
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Proposition 6.1. Given any two reduced forms Qi,Q2 of determinant D there is a reduced 
form Q3 of determinant D and a bilinear matrix B such that = Qi ° Q2 via B and 



log||B|| = 0{logD) . 
Proof. This is shown in Lagarias [20\ Theorem 5.5]. □ 



(6.7) 



The key result facilitating the use of composition to create short certificates is the following 
lemma. Before stating it, we recall that the Kronecker product S (8) T of an m x n matrix 
S = [sij] and a k x I matrix G is a km x In matrix 



siiT 

SmlT 



SlnT 



given in block matrix form. 



Lemma 6.1. Let / ~ Qi via Si and I ^ Q2 via 82- If Q3 = Qi o Q2 via B, then I ^ Qs via 
S3 where S3 satisfies the matrix equation 



S3B = Bo(Si0S2) 



where 



and A 



Br 



10 D - A2 

011 2A 



(6.8) 
(6.9) 



D]. 



Proof. It is straightforward to check I = I o I via 



B 



I D 
110 



Using Lagarias [201 Lemma 5.1 (i)], since I k, I via 



1 A 
1 



we obtain I = I o I via Bq. using 



the same [20l Lemma 5.1 (i)], we next conclude I = Qi o Q2 via Bo(Si © S2). Then using [201 
Lemma 5.1 (ii)], we conclude there exists a unimodular integer matrix S3 such that 

S3B = Bo(Si®S2) , 

the desired result. □ 

We note that S3 is uniquely determined by ()6.8p . since B contains an invertible 2x2 
submatrix by the unimodularity condition. 

Now suppose Qi and Q2 are forms in the principal cycle. Lemma 16.11 shows that if 
Q3 = Qi ° Q2 and Q3 is reduced, then Q3 is also in the principal cycle. By Proposition 15.11 
there are integers fci, /c2 and k^ such that Sj = ±Lfc. for 1 < i < 3. What is the relation among 
the fcj's? 
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Lemma 6.2. Let Qi,Q2,Q3 be in the principal cycle and suppose I k, Qi via ±Lfe^, J ~ Q2 
via ±Lfc2, where ki,k2 > 0. Suppose Q3 = Qi o Q2 via B and that 

log||B|| < cilogD . (6.10) 

Let S3 he defined by 

S3B = Bo(So(Si®S2) . 

Lf Si = ±Lfc. and ^ is defined by 

log I |Lfc3 1 1 = log I |Lfc J I + log I |Lfc2 1 1 + ^, 

then we have 

1^1 < (ci + 4)logL» . (6.11) 

Proof. By (16. Sp we have 



IIS3BII = ||Bo(Si 082)11 . (6.12) 

Now 

||So(Si 082)11 < 4||Bo|| ||Si 0S2II 

= 4||Bo|| IISill IIS2II . (6.13) 

We next note that Bq is nonnegative and that Si (8) S2 has constant sign on columns by 
Lemma 5.2 (i). This implies 

||Bo(Si 82)11 > ||Si S2II = IISill IIS2II . (6.14) 

On the other hand 

IIS3BII <2||B|| IIS3II . (6.15) 

Using orient ability the first two columns of B form an invertible 2x2 submatrix Bi and we 
obtain 

l|S3B||>||S,B.||>i|l>||l>|M, (6.16) 

where the center inequality is deduced from 

IIS3II <2||S3Bi|| ||B^i|| 

and 

IIBJ-^II = (detfi)-^||B|| < ||B|| . 

Now iKm . iKm . rniM yield 

l|S3||> ^(IISill IIS2II), (6.17) 

while i^J^, (6.13), i^JU\i yield 

IIS3II <8||Bo|| ||B||(||Si|| IIS2II) . (6.18) 
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Using 

log||Bo|| <\ogD 

and the hypothesis (|6.10p . the inequahties (|6.17p and (|6.18p estabhsh (??). □ 

Lemma [5.21 shows that, for j > 1, log ||Lj|| provides a measure of the size of the subscript j. 
On the other hand, (??) shows that composing a form Q^^^ with itself essentially doubles this 
size. By repeatedly doubling the size we can rapidly move to forms far apart in the principal 
cycle. 

Lemma 6.3. For any Lj with 1 < j < 2p there is a sequence of equivalence matrices V^, and 
reduced forms Qk of length K such that 



(i)Qo = i,Vo 



1 
1 



(a) Each pair {Qk+i,^k+i) is obtained from the preceding {Qk,^k) by a transformation of 
either Type I or Type II, where: 
Type I. Qk+i is the right-neighbor of Qk so that 



and 



Vfc+i = VfcSfc+1 
logllSfcll < ^{logD) . 



Type II. Qk+i = Qki ° Qk2 Bfc+i for some < ki, k2 < k so that 

x*Qixy*Qjy = z*B^iQfc+iBfc+iz , 



and where 



Vfe+iBfc+i — 
log ||Bfc+i 



Bo(Vfc, ®VfcJ 
\\=0{logD) . 



(Hi) 



Qj^ = Q(i)and Yk 
The length K of this sequence satisfies 

K = 9{{logDf) . 



L, . 



(6.19) 
(6.20) 

(6.21) 

(6.22) 
(6.23) 

(6.24) 
(6.25) 

(6.26) 
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Proof. We suppose that the composition of reduced forms is done as in Proposition 16. H so 
that (16.24P is satisfied. We let ci denote the constant implied by the 0-symbol in (I6.24p . Let 
aj denote the minimal number of type I and type II transformations sequentially applied to get 
from / to Q^^^ via Jjj. First note 

aj < j (6.27) 
by using type I transformations only. We will prove by induction on j that for 

2(ci +6)logL» < j < 2p (6.28) 

we have 

Oj < (5 + 4(ci+4)logi?)(log||L,||) . (6.29) 
Suppose ()6.28p holds. Take ji to be some / such that 

- (ci + 5) log - 2 < log I |L,| I - ^ log I |Lj 1 1 < -(ci + 4) log D . (6.30) 

At least one such / exists by (|5.23p and I <l < j. (Note (|5.24p shows ^ log 1 1 Lj 1 1 - (ci +4) log D > 
2.) Hence we can obtain Qfc = Q^''^\^k = where k = aj-^ satisfies ()6.29p by the induction 
hypothesis. Now apply a type II transformation, using o Q^, obtaining Qfe+i = Q''^ and 
Vfc_|_i = Ljj. Using Lemma 6.3 and ()6.30p we have 

2(ci + 4) log D + 2 > log||Lj|| -logllLjJI > . 

Then Lemma 5.3 implies 

0< j-i2 <4(l + (ci+4)logL') . 
Hence 4(1 + (ci + 4) log-D) type I transformations will take us to Q^-'\ Lj. Hence 

aj<aj^+A{{ci+A)logD) + 5. (6.31) 
But the right side inequality of ()6.30p gives 

log||L,J| < ^log||L,-|| <log||Lj|| -1 . (6.32) 

Substituting (j6.29p for ji into (j6.3ip and using (j6.32p establishes (j6.29p for j and completes the 
induction step. □ 

Remark. By a more complicated argument, this bound (j6.26p can be improved to 

K = 0{logD) . 

7. Certificates for Equivalence of Two Indefinite Binary Quadratic Forms 

Lemma [6.31 can immediately be used to provide certificates for the equivalence of two indef- 
inite binary quadratic forms. 

Theorem 7.1. Let Qi and Q2 be two indefinite binary quadratic forms with the same dis- 
criminant. If Q1Q2, there is a certificate of this equivalence requiring at most 

0(log||Qi|| +log||Q2|| + (logI))2M(logZ))) (7.1) 
elementary operations to verify. 
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Proof. A necessary condition for the equivalence of two forms Qi = [ai,2bic] and Q2 
[a2, 262, C2] is that 

G.C.D.{ai,bi,ci) = G.C.D.{a2,b2,C2) =ai 



and 



G.C.D.{ai,2bi,C2) = G.C.D.{a2,2b2,C2) = (72 



By removing ai from the coefficients of both Qi and Q2 we need only consider the case ai = 1. 
In that case the forms are properly primitive if C72 = 1 and improperly primitive if (T2 = 2. 

Suppose first the forms are properly primitive. Replace Q2 = [02,262,02] by Q2 = [02 — 
262,02], its inverse form. Reduce Qi and Q2, obtaining Q1,Q2- This requires 0(log||(5i|| + 
log||Q2||) operations by Proposition 14.11 Compose and Q2 to obtain a reduced form Q^. 
By Proposition 16. II this can be done in 9(M(logL')) operations. 

Now Qi ^ Q2, if and only if Qt, ~ /. This follows from the well-known facts that composi- 
tion of forms induces the structure of an abelian group on equivalence classes [Q] of properly 
primitive forms Q, that [/] is the identity element of this group, and that [Q]~^ = [Q]. (e.g. 
see Mathews [25l Arts. 141, 145].) 

We now take the sequence of reduced forms Qfc showing Qg « / that are guaranteed to exist 
by Lemma 16.31 together with the matrices and involved in the corresponding type I or 
II transformation. For each transformation we verify either ()6.19p or (16.220 . and this requires 
0(M(log-D)) elementary operations. We obtain a total of 0((log Z))^Af(log D)) elementary 
operations in all, by (I6.26p . 

Finally, we verify by induction on k that checking (j6.19p . (j6.22p at each step guarantees 
that all Qk = I- Certainly Qq ~ /. If a type I transformation is used, then Qk+i ~ Qk ~ / by 
definition of equivalence. If a type II transformation is used, then Qi ^ I and Qj ~ / guarantees 
Qk+i = Qi o Qj K, I by Lemma l6. 11 This completes the proof in the properly primitive case. 

We take care of the improperly primitive case by reducing it to the properly primitive case 
by the following expedient. (Mathews [25^ Art. 153].) We first note that improperly primitive 
forms have D = l(mod 4). Let 



Q 



a 6 
c d 



Q{ax + by, cx + dy) 



li D = l(mod 8) and Q is improperly primitive, then Q 



2 
1 



2Q* where Q is properly 



primitive. Furthermore if Qi, Q2 are two such improperly primitive forms then Qi ~ Q2 if and 
only if Qi ~ Q2- may find a certificate for this as above. If D = 5( mod 8) and Q is improp- 



erly primitive, then Q 



2 
1 



2Q(i) , Q 



1 
2 



2Q(2) and Q 



1 1 

2 



2(5^*^ where the 



(5^*^ are all properly primitive. Furthermore if Qi, Q2 ai^e two such improperly primitive forms 
then Qi ~ Q2 if and only if one of Q^*'' ~ Q2^'* for 1 < z < 3. We may find a certificate for this 
as above. In order to get the bound (j7.ip we first reduce the improperly primitive forms and 
then apply the procedure above. This reduction involves only O(log-D) additional operations. 

□ 
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Remark. Since \ \Q\ \ > for any form Q, ()7.ip gives a bound polynomial in the length of 

the input log ||Qi|| + log ||Q2||- 

8. Succinct Certificates 



We now prove the main result. 

Proof of Theorem 1.1. If (j2.ip has an admissible solution with ||x|| < 256||-F||^, then it 
serves as the certificate, and only 0(M(log |F|)) operations are needed to verify it is one. By 
Lemma 13.21 this is always the case for definite or degenerate binary quadratic Diophantine 
equations. 

Now suppose ()2.ip is indefinite, and has admissible solutions, but none with ||x|| < 256||-F||^. 
Then by part (ii) of Lemma 13. 3^ there exists /3i , (32 such that the 

yl - Dyl = g . (8.1) 

has a solution with 

y, = A (mod cDF) (8.2) 

satisfying (j3.16p . (j3.17p . and yi > and the sign of 1/2 is specified and satisfies one of (3.15a), 
(3.15b). Call the system (jS.ip . (18. 2p with the given sign conditions E, and observe that 

\\E\\< MAX{D, \g\,\cDT\) < 6||F||^ (8.3) 



using (13. 4p . By Lemma [33] it suffices to give a certificate for this equation, to guarantee (12. ip 
has an admissible solution. Note that it takes only 0{M (log D) log I?) operations to check the 
conditions of (ii) of Lemma 13.31 hold, in particular 0(M(log Z?) log -D) operations to compute 
^/D to one digit pas the decimal point in (3.15). Note log \ \E\ \ = 9(log ||-F||). 

Lemma [4.21 shows that to show the system E has an admissible solution it suffices to produce 
certificates showing there exist integers h,B,C and 2x2 matrices S,W such that (i)-(v) of 
that lemma hold. The rest of the proof will accomplish this. 

Lemma [4.21 also shows that there exist integers h,B,C and 2x2 matrices S,W such that 
(i)-(ix) of that lemma hold. In the rest of the proof we shall fix this particular choice of 
h, B, C, S, and W, as well as 

Qred = [«o,26o,co] (8.4) 

arising in (iii) of that lemma. In that case (i), (ii) of Lemma [4. 2 1 can be verified in 0(M(log | l-E] |) 
operations by (vi) of that Lemma and (j8.3p . To verify (iii) of Lemma l4.2l we note that it asserts 
that 



ao bo 
bo Co 



G B 
B C 



(8.5) 



Using the bound (14.26P for a reduced form, (vii), (viii) of Lemma l4.2[ and (18. 3p . all entries in 
(|8.5p are 0(log \ \E\\) so (|8.5p can be verified in 0(M(log ||£'||)) operations. 

The essential difficulty in producing the certificates is the possible large size of the entries 
of W, evidenced by the bound (4.41), so that we cannot afford to keep track of these entries as 
fixed point binary integers. Consequently (iv) and (v) of Lemma [4. 2 1 must be verified indirectly. 
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The certificates verifying (iv) and (v) are based on two kinds of formulae, which we cah 
short and long. The short formulae can be evaluated using fixed-point integer arithmetic. We 
will use these to verify (iv). The long formulae involve integers with too many binary digits to 
allow direct evaluation. We use these to verify (v), by evaluating them (mod cDT) to verify 
(j4.36p . and by evaluating them using floating-point arithmetic to enough accuracy to verify 
(07D . 

The formulae are those guaranteed to exist by Lemma 15.31 and Lemma 16.31 By Lemma [ 
the W of Lemma 14.21 can be written in the form 



W = (-l)™(L2p)% (8.6) 
for some j with 1 < j < 2p, for some m = or 1, and for which 

k = 0{\\E\\''' \og\\E\\) . (8.7) 



Equation (18.61) is a long formula. 

Next, by Lemma 16.31 for each and Jjj there exists a chain of reduced forms Qk and 
equivalence matrices having the properties (|6.19p - (16.26p . Formulae (j6.19p and (j6.22p are 
short formulae, while (j6.20p and (j6.23p are long formulae. 

Consider the short formulae for Lj and L2p. The bounds (I4.26p . (I6.2ip and (I6.24p imply 
that each formula can be evaluated exactly using fixed-point integer arithmetic with 0(log \ \E\\) 
binary digits. Each evaluation takes 0(M(log | ji?! |) operations, so (j6.26p implies a total of 
0(M(log ||£'||)(log ||-E||)'^) operations at most in evaluating all the short formulae. In addition 
we must check that the bilinear matrices Bj used in short formulae are unimodular and oriented. 
Using the Euclidean algorithm to check unimodularity takes 0(M(log \ \E\\) log \ \E\\) operations 
for each Bj,, by [201 Prop. 3.3], for a total of 0(M(log 1 |)(log 1 1)^) operations in all. 
Checking orientability requires 0(M(log | |) log | |) operations in all. 

We now verify (iv) of Lemma l4.2i Since / « / via and / ~ Q^^^ via Lj, (8.16) implies 
that 

/ w Q^^^ via W . 
In order to verify (iv) it suffices to check that 

Q(J) = Qrcd (8.8) 

where Qred is as in (f03]l . is the Qk produced in dOH]) for Lj. Checking ([83]) takes another 
0(log||i?||) operations. 

We now describe certificates for (v) of Lemma 14.21 We first must verify 

hui = Qi(mod cDT) i = 1,2 (8.9) 

where 

^ ~^ WS"^ . (8.10) 



Ul 


U3 




' 1 


-A " 


U2 


U4 







1 



We define W to be given by (18. 6p , and the L2p, Lj are defined by the long formulae of Lemma [6.31 
We evaluate all these formulae (mod cDT). Since 

logcDF = 0(log||-E||) , 
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so we can use binary numbers with 0(log||£'||) digits throughout. The long formulae for 
in Lemma 16.31 are evaluated successively. Evaluating each formula (|6.20p (mod cDT) takes 
0(M(log ll-Ell) operations. We next must check in (j6.23p that given Bo,Bfc_|_i, Vj and Vj (mod 
cDT) we can calculate Vfc+i(mod cDT). It is straightforward to calculate Bo(Vfc. V^j). We 
use the unimodularity condition of the matrix B^+i , that the greatest common divisor of its 2 x 2 
bii hj 

5.4], repeatedly using the Euclidean algorithm with the det(Ajj) we can find a factorization 



submatrices Ay- 



is 1. By an algorithm similar to step 1 of Lagarias [201 Theorem 



cDT = mi2rn,i3mi4m23m24m34 (8.11) 

with the rriij pairwise relatively prime and with 

{mij,det{Aij)) = 1 . (8.12) 

for all This takes 0(M(log \ \E\\) log ||-E||) operations. (Alternatively we can guess a set of 
rriij and check that they have the required properties.) Then 



(Aij)-^ = (det(Ai,))- 



b2j - bij 
-b2i bii 



[mod rriij) (8.13) 



and (det Ajj) -"^(mod rriij) is calculated in 0(M(log ||i?||)log \\E\\) operations using [20l Corol- 
lary 3.4]. Hence 

Vfc+i = {Aij)-^[Bo(Vk, ^ Yk,)]ij{mod rrnj) , (8.14) 

where [M]jj denotes the submatrix obtained taking columns i and j, yields Vfc_|_i(mod rriij). 
Finally we use the Chinese reminder theorem on each entry of V^+i separately to obtain 
Vfc_|_i(mod cDT) in 0(M(log ||i?||) log ||£^||) operations, by [201 Prop. 3.6]. Thus we may at 
last obtain L2p,Lj(mod cDT) in 0{M log\\E\\){log\\E\\)^) operations, by (f6?26]) . Next we 
calculate (L2p)^, (L2p)^ etc. by successive squarings and reductions (mod cDT), and use the 
binary expansion of k to evaluate Ty(mod cDT) using (8.6)) in 0(M(log ||i?||)(log ||i?||)^) op- 
erations, noting the bound ()8.7p . Finally ()8.10p is evaluated (mod cDT) and then (18. 9p verified 
in a further 0(M(log 1 1^| |)) operations. Thus (|i36]) is verified in 0(M(log ||£^||)(log ||£^||)3) 
elementary operations. 

Finally we check that the sign conditions (j4.37p of Lemma 14.21 (v) can be verified by evalu- 
ating the long formulae using floating-point arithmetic with floating-point integers maintaining 
Co(logD)^ = 0((log I l-Bl 1)'^) binary digits in both the exponent and fraction parts, where cq is 
a sufficiently large absolute constant fixed once and for all as described below. Basic termi- 
nology and error estimates for floating-point computations are given in Appendix B. We say 
that a normalized floating-point number x = /2^ with ^ < / < 1 approximates x to accuracy 
s significant figures if 

- x| < 2^=-^ . (8.15) 

(Here (e, /) is the representation of x used in the calculation.) We wish to show ui and U2 
are computed to accuracy at least 1 significant figure, which permits determination of their 
signs. Assuming for the moment this accuracy is proved, it is straightforward to estimate 
the total number of elementary operations involved in evaluating all the long formulae to be 
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0(M(log 1 1^1 |)3)(log 11^11)2) which is 0(M(log ||S||)(log ||S||)^). Note here that in evaluating 
Vfc+i by ()6.23p that we merely pick an invertible Aj^, and use 

Vfc+i = (A,,-)"'[BoVfc, (8.16) 

evaluated in floating-point, noting that 

log(det(Ai,)) = 0(log||i5;||) (8.17) 

using (jOij) . 

It remains to estimate the loss of significant figures during the floating-point computations. 
The sources of loss of accuracy in floating-point computations are roundoff error, exponent 
overflow, exponent underflow in multiplication, and loss of accuracy in addition to two nearly 
equal numbers of opposite signs (e.g. this includes exponent underflow during addition as a 
special case). 

By using 0(log ||£J||)^) digits in the exponent part, we guarantee that exponent overflow 
never occurs. Indeed, only 0(log \ \E\\) binary digits are needed to represent the exponent part 
e of any entry of W, since 

e = Om?'\^^g\\E\\?) (8.18) 

by (4.41). It is easy to check that the bound (j8.18p applies to any exponent of every element 
occurring in the long formulae, since the Vj's are just various with 1 < /c < p, to which the 
bounds (I5.23p . (j5.25p apply. Now as long as the floating point calculations agree with the two 
entries of the long formulae to one significant figure, their exponents must agree within ±1 and 
these calculated exponents will then satisfy (|8.18p and exponent overflow cannot occur. This 
demonstrates that exponent overflow cannot occur unless all significant digits have first been 
lost due to the other three sources of error. 

We next show exponent underflow during multiplications can never occur unless all signif- 
icant digits have first been lost due to the remaining two sources of error. Indeed the entries 
of the matrices Vj in Lemma 16.31 are known a priori to be nonzero integers by Lemma l5.1( iii). 
except for Lj with |i| < 2 (and if these occur they may be placed at the beginning of the compu- 
tation, which is done in fixed point as explained below). The entries of W are nonzero integers 
since W = itLj for some \j\ > 2. We may suppose the entries of U are nonzero integers, for 
if some Uj = then since U = Z satisfies the hypotheses of Lemma l4. II the inequalities (j4.9p . 
(j4.10p would imply the Uj are small enough that they could be calculated directly in fixed point 
as certificates in 0(M(log \ \E\\) operations to verify (iv), (v) of Lemma [4.21 Since these entries 
re nonzero integers, the exponents of their floating-point approximations must be > 0, and 
exponent underflow during multiplication cannot occur by Lemma B-1 in Appendix B. (We 
note that some multiplications by zero may occur, but these are exact using (B-16), (B-17) of 
Appendix B.) 

We must now bound the effects of roundoff error and that of addition of nearly equal 
quantities of opposite signs. We start with p = co(log | |)^ significant digits of accuracy. We 
first consider the calculation of the in Lemma 16.21 The entries of Sfc,Bo,Bfc_(_i are known 
to p significant digits by the bounds (j6.2ip . (j6.24p . We will use Lemma B-2 to bound roundoff 
error, and Corollary B-4 to bound addition of nearly equal quantities. Evaluating \k+i by 
the long formula (j6.20p involves a loss of at most 5 significant digits by Lemma B-1, since 
each entry of V^+i uses two floating-point multiplications and one addition, and the quantities 
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added always have the same sign by Lemma 15.11 (i) , (ii) . The crucial step lies in showing that 
evaluating V^+i by the long formula (16.23P (actually by (I8.16P above) involves a loss of at 
most O(log D) significant digits accuracy. Indeed Y^-^ ^ can be evaluated losing at most 3 
significant digits accuracy by Lemma B-1, as only multiplications are involved. Now the bound 
(|6.17p applies to show that 

lVfc||>^(||VfcJ| ||V,,||)|. (8.19) 



hence 



log||Vfe|| >log||VfeJ|+log||VfeJ| -cilogD-1 



^.20) 



using ()6.10p . But all entries of have about the same size by Lemma 15.11 (iii), hence the 
nearest floating-point approximations to each entry of V)^ must have exponents e satisfying 



e > log 1 1 Vfc J I + log 1 1 Vfc, 1 1 - (ci + 2) log D - 3 . 
On the other hand, each entry of Vj^^ (8) Vy^g ^las exponent 



e < log I 



+ log||Vfc2| 



^.21) 



^.22) 



We now evaluate the entries of (I8.16P doing all multiplications first, followed by additions. The 
multiplications lose at most 6 significant digits each, and the resulting exponents satisfy 



e < log 1 1 Vfc J I + log 1 1 Vfc J I + 2ci (log D) + 3 
using (|8.22p . Then the additions producing a given entry of V^+i lose at most 

(3ci + 2)logL> + ll 



^.23) 



significant digits accuracy, using Corollary B-4, using (18.23P as an upper bound on e and (j8.2ip 
as a lower bound on e — ^. Thus at most (8ci + 2) log D + 17 significant digits are lost in 
evaluating Vfc+i using the long formula (|6.23p . and thus at most 0((log 1 |)^) significant 
digits are lost in evaluating L2p and Jjj using Lemma 16.21 Next, we note that the calculation 
of (L2p)^ in formula (j8.6p involves a loss of 9(log-D) significant digits, because O(logZ)) matrix 
multiplications are involved in computing (L2p)^, (L2p)^ etc., and the bounds of Lemma B-2 
apply because all numbers added have the same sign. Calculating W using the long formula 
(|8.6p loses another 5 significant digits; again all quantities added have the same sign. Finally 
we evaluate 



U 



where A = [v -D] • Now 



W 



-A 
1 

1 A 
1 



ws 



us 



^.24) 



so 



yields 



IWII < 2Vd\\v\\ iisi 



log ||U|| > log II W| I - C2 log ||E| 



^.25) 
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for some absolute constant C2, using (4.40). The exponents e of the individual entries of U all 
satisfy 

e > log||W|| - C3log||E|| (8.26) 

using the inequality (j4.10p of Lemma [4.11 (which applies since U = Z). Now evaluate the 
right side of ()8.24p . doing all multiplications first, and then additions. The resulting multiplied 
quantities all have exponents 

e < log 1 1 W| I + (ci + 2) log I |E| I + 3 . (8.27) 

Then Corollary B-4 guarantees we can evaluate U with a loss of at most (ci + C3 + 2) log | li^l | + 7 
significant digits accuracy. We have shown at most 0((log | li^l |)^) significant digits accuracy 
can be lost due to roundoff and adding of nearly equal quantities of opposite sign in evaluating 
U. Choosing cq large enough once and for all, Theorem 11.11 is proved. □ 

Proof of Theorem 11.21 All that need be checked is that the certificates of Theorem 11.11 
can be "guessed" in polynomial time. The bounds (vi)-(ix) of Lemma 14.21 the bounds on k in 
Lemma [53] and on the Sfc+i, B^+i in Lemma [6?3l demonstrate that this is the case. □ 
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Appendix A. Period lengths (mod m) of certain linear recurrences. 

Let {ti,ui) be the least strictly positive solution to Pell's equation 

X"^ - DY"^ = 1 (A.l) 

and set 

e = ti+uiVD. (A.2) 
In this appendix we show the sequences {tk}, {uk} defined by 

(e)'' = tk + UkVD (A.3) 

are periodic (mod m) and we bound the length of the minimal period P[m) for which 

tk+p(m) = ifc(mod m) 

(A.4) 

Uk+p{:m) = nfc(mod m) (A.5) 

both hold. 

The sequences {tk}-,{uk} both satisfy the second order linear recurrence. 

Wk = hwk-i - Wk-2 ■ (A.6) 

Periodicity of solutions to this recurrence (mod m) is closely related to divisibility of by 
m. Carmichael [Qj, [IQJ studied divisibility properties of a class of sequences which includes 
{tk}, {uk} as special cases. Periodicity properties for general linear recurrences were considered 
by Engstrom |14j . Ward [38] and other authors. 

Lemma A— 1. The period p(m) exists. 



Proof. Let e = ti — u\\fD so that 

tt = \(^ + £-') (A.7) 

Pell's equation asserts that 

ee = l. (A.9) 

Thus e, e are units in the ring of integers Od of QiyfT)). For any ideal a in Qd let S(a) denote 
the smallest k such that 

e^ = = l(mod a) (A.IO) 
over Od, such S(g) existing since e,e are invertible (mod g). It's easy to check that 

tfc+ij = tfc(mod m) 



Uk+R = nfc(mod m) 
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where R = S{{2sqrtDm)). Hence 

P{m)\S{{2VDm)) (A.ll) 

exists. □ 

Lemma A-2. // (m, n) = 1 then 

p{mn) = l.c.m.{p{m),p{n)} . (-^-12) 

Proof. This follows from the definition (A-4) and the Chinese Remainder Theorem. □ 

It thus suffices to calculate for prime powers p". 

Lemma A- 3. For all primes p and a> 1, 

P(p"+^)bP(p«) . (A.13) 

Proof. For R = P{p"') we have 

tR = l+p^osi 

UR = p°-S2 (A. 14) 



for some si,S2. Since 
we have 



tpR + UpR\/D = {tR + urVd)p 

p-l/2 



^PR= E [^j^itRy-'^iuRf'D^ (A.15) 

^f«= E LMtRy{uRr-''D'^-^ (a.i6) 

j=0 ^ ■'^ 

Since p\{^) for 1 < j < p — 1, these equations and (A. 14) yield 

tpR = (ifl)f = l(mod p«+i) 

UpR = O(mod p«+i) . 

and (A.13) follows. □ 

In order to bound P{p), let (^) denote the Legendre symbol and Q{p) denote Q((p)). 

Lemma A-4. Let p be an odd prime. 
(i)//(f) = l, then 

P{p)\p-1 (A. 17) 
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I = — ±, LI mi I 

P{p)\2{p + 1). (A.18) 



(ii) If(^) = -l, then 



(iii) If p\D, then 

P{p)\2p . (A. 19) 



(iv) P(2) = 1 or 2. 

'roof. Suppose p 
can be sharpened to 



Proof. Suppose p \ 2D so {^) = ±1. Then examination of (|A77|) - fOO|) shows that (|AlT]) 



P(p)|5(p) . (A.20) 

(i) If (■^) = 1, then (p) factors as (p) = 7172 the product of two distinct conjugate prime ideals 

in Od- Then Oo/'yi — GF{p). Since xP~^ = 1 in GF{p) when x 7^ 0, we have 

for i = 1, 2. Thus 

gP-i _ -p-i _ ^^Q^ 
so S{p)\p- 1. Then (|A:20]) proves (A.17). 

(ii) If (^) = -1, then (p) is inert, and O D/{p) ^ GF{p^). Now x^+i G GF(p) for all 
X G GF{p'^) hence 

ep + 1 = a(mod (p)) . 

for some a G Z. (Note GF{p) = Z/pZ C Od/{p) ) Applying the conjugation automor- 
phism, we have 

eP+^ = a(mod {p)) . 

But ee = 1 hence 

= l(mod {p)) . 

Hence 

g2(p+l) ^ -2(p+l) ^ ^j^Q^ 

and 5(p)|2(p + 1). Then (A.20) implies (lAlS]) . 

(iii) If pIZ) then 

t2 = tl - Duj = tl = l(mod p) 
since tf = 1 + Duf . Then ([A?T5]) . (|A?T6]) apphed with = 2 show 

t2p = (ta)^ = l(mod p) 
= O(mod p) . 

Hence P(p)|2p. 
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(iv) If 2\D then t\ — Du\ = 1 shows t\ = l(mod 4) and 2|m, or 4|D. In either case 
t2 = l(mod 4), U2 = O(mod 2) and P(2)|2. li 2 \ D then = (1,0) or (0,1) 

(mod 2). In the first case P{2) = 1, in the second case, the recurrence (jA.lSP shows 
P{2) =2. □ 

Lemma A-5. For any m, 



Proof. Lemmas A-2 through A-4 imply that if m = Iij{pj)°'i then P{M)\R{M) where 



P{m) < 2m(log m + 1) 




Now 




But 




(A.21) 



and the lemma follows. 



□ 



Remark. By more detailed argument it can be shown that 



P{m) = O(mloglogm) . 
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Appendix B. Floating-Point Computations. 



This appendix gives upper bounds on the magnitude of errors accumulated in floating-point 
computations. We use the conventions and notation of Knuth [14, Sect. 4.2], to which we refer 
for greatest detail. 

We use normalized floating-point numbers with base 2, excess 0, with p digits. Such a number 
will be denoted (e, /) where 

{e,f) = f2'. (B.l) 

Here e is an integer satisfying 

|e| < N (B.2) 
and / is a signed fraction such that 2^/ is an integer and satisfying the normalization condition 

^ < I/I < 1 • (B.3) 

provided / 7^ 0. By convention is (0,0). 

We introduce a notation to distinguish general real numbers from floating-point numbers, 
which are just real numbers satisfying (|B.l|l -( iB^ . To this end we always denote floating-point 
numbers with a bar, i.e., a; is a floating-point number (to be thought of as an approximation to 
the real number x). 

To define the floating-point operations of addition, subtraction, multiplication and division, 
we use the function "Round to p significant figures" defined by 

2^-P[2P-^x-F -J, 2^^i<x<2^ 



Round {x,p) 



2- 



x = (B.4) 



2e~p ^2P~^x - -] , 2*^-1 < -X < 2*= 



2 

We define floating-point addition © by 

r 0, \x + y\< 2-^ 

x®y=< (B.5) 
[ Round (x + y,p), 2'^ <\x + y\<2^ . 

Exponent overflow occurs if \x\y\ > 2^ and x © y is left undefined. We define floating-point 
subtraction of x as floating-point addition of —x. We deflne floating-point multiplication © by 

r 0, \-xy\ < 2-^ 

x^y = < (B.6) 
[ Round {xy,p), if 2'^ < \xy\ < 2^ 

Exponent overflow occurs if \xy\ > 2^ and x © y is left undeflned. Floating-point division (f> 
is defined similarly to multiplication, but we will not need it. Note that these operations are 
well-defined even when exponent underflow occurs. 
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Let x be a floating point number approximating a nonzero real number x. Let 

2^ <x< 2^+1 . (B.7) 
We say x approximates x to s significant digits if 

< 2^-^-1 . (B.8) 
There are four sources of loss of significant digits in floating-point operations. 

1. roundoff error, 

2. exponent overflow, 

3. exponent underflow in multiplication, 

4. addition of two nearly equal quantities of opposite signs (includes exponent underflow). 

We deal with these sources separately. 

Exponent overflow, and exponent underflow in multiplication are the easiest to handle, by 
giving sufficient conditions that they do not occur. By convention multiplication by zero does 
not count as exponent underflow. 

Lemma B-1. Let x = (ei, fi)y = (e2, /2) be two floating-point numbers. If 

-N + 2<ei + e2<N-l (B.9) 
then x®y does not involve exponent overflow or underflow. If 

MAX{ei,e2) <N -2 (B.IO) 
then X ®y does not involve exponent overflow. 



Proof. Immediate. □ 

In the remainder of this Appendix we assume that exponent overflow does not occur. That 
is, this is an extra hypothesis made in all lemmas following. 
In order to analyze roundoff error, we note that when 

2^"^ < \x\ < 2^ (B.ll) 

we have the bound 

IRound -x\< 2^-P-i . (B.12) 

Lemma B-2. Let x — y be two floating-point numbers, both having s significant digits. 

(i) If x,y have the same sign, then at most 2 significant digits are lost in computing x®y. 

(a) If exponent underflow does not occur, at most 3 significant digits are lost in computing 
x y. 
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Proof, (i) Since x, y have the same sign, underflow cannot occur. Then 

x © y = Round {x + y,p) . (B.13) 
Let X, y have exponents ei, 62- Then the exponent 63 of x © y is at least MAX{ei, 62). But 

\x-x\ < 2^1-"-! 

\y-y\ < 2^^-'-^. (B.14) 

Note s < p. Then 

\x(By — {x + y)\ < \x (B y — {x + y)\ + \x — x\ + \y — y\ 

^ + 2''2-'^-i + 2^1"'"^ < 2^^"*+^ (B.15) 

using (B.12), ([BT3l) . 

(ii) Since underflow cannot occur, we have 

X y = Round {xy,p) ■ (B.16) 

If 64 is the exponent of x © then 

64 > ei + 62 - 1 . 

Now 

\xy — xy\ < |x — x| \y\ + \y — y\ \x\ < 2^i+'^2-s 

using (B.14). Hence 

|x©y — xyl < \x y — xyl + \xy — xy\ 

< + 2^i+'=2-s < 5 263-^^-1 ^ 

using (B.12), (IBT6]1 . □ 

We remark that Lemma B-2 (i) also holds when y = and 

|y-y| <2^^-^-i , (B.17) 

and that 

x(g)y = xy = (B.18) 

where y = y = 0. 

We next consider the bounds for addition. 

Lemma B-3. Let xi, . . . ,Xj be floating-point numbers such that all Xi have exponents < e. 
Suppose 

\xi - Xi\ < 2^-'-^ (B.19) 
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for all i, and suppose e — s > —N. Let 

Vj =xi + ... + Xj , (B.20) 

and define vi = xi and 

Vi+i = Vi® Xi+i (B.21) 
for2<i<j -1. Let j < 1^ and k<p. Then 



< 23+2'=+3-s (B 22) 



Proof. We have 

from which it is easy to estabhsh 

Vi < or - 2^-P){l + i2-P) < 2^+^=+^ _ (B_23) 
(The term i2^'f is a roundoff bound.) Now we have 

\vi - Vi\ < \vi - {vi^i + Xi)\ + \xi - Xi\ + \vi^i - ■Uj_i| . (B.24) 
If we let Bi be the exponent of Vi then (B.22) gives 

ei<e + k + 2 . (B.25) 

But 

1^;^ - - x,)| < MAX{2^-f-\2-^) , (B.26) 

the bound 2^^ occurring in the case of underflow. Then apply (B-18) and (B-25) to (B-22) 
and sum over i to obtain 

j 

1% -Vj\< Y^[2^^-P-^ + 2-^ + 2^-^-1] . (B.27) 



i=l 



using (B-24) gives 



^ 2e+2k+l—p _|_ 2iV+fc _|_ 2^~^^~^~^ 



^ 2e+'wk+3—s 

the desired bound. □ 

Lemma B-3 allows one to show that if one knows "a priori" that a sum Xi is not too small 
with respect to its largest term, then the loss of significant digits in calculating a floating-point 
approximation to this sum cannot be large. 
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Corollary B-4. Let xi,...,Xj be floating point numbers approximating xi,...,Xj to s 
significant digits, with the largest \xj\ having exponent e > —N + s. Let 

Sj — Xl -\- . . . -\- Xj , 

Sj — Sj — i (£) Xj^ S'\^ ^ Xl ^ 



Suppose J < 4 and that 
Then sj approximates Sj to at least s — A — 8 significant digits. □ 



\s,\>2^ 



49 



References 

[1] L. Adleman, Number Theoretic Aspects of Computational Complexity, Thesis, Univ. of 
California, Berkeley, 1976. 

[2] L. Adleman and K. Manders, Diophantine Complexity, Proc. 17th IEEE Annual Symp. on 
Foundations of Computer Science (1976), 81-88. 

[3] L. Adleman and K. Manders, Reducibility, Randomness and Intractability, Proc. 9th An- 
nual ACM Symposium on Theory of Computing (1977), 151-163. 

[4] L. Adleman and K. Manders, Intractability Proofs and the Computational Complexity of 
Binary Quadratics, U. C. Berkeley, College of Engineering Technical Report No. UCB/ERL 
M78/30 (1978). 

[5] L. Adleman and K. Manders, Reductions that Lie, Proc. 20th IEEE Symp. on Foundations 
of Computer Science (1979), 397-410. 

[6] M. Agrawal, N. Kayal and N. Saxena, PRIMES is in P, Annals of Math. 160 (2004), 
781-793. 

[7] J. Buchmann and H. C. Williams, On the existence of a short proof for the value of 
the class number and the regulator of a real quadratic field, in: Number Theory and 
Applications(Banff, AB 1988), 327-345, NATO ASI Series C Math. Phys. Sci, No. 265, 
Kluwer Academic Publ., Dordrecht 1989. 

[8] D. Buell, Binary Quadratic Forms. Classical theory and modern computations. Springer- 
Verlag, New York 1989. 

[9] R. D. Carmichael, On the numerical factors of the arithmetic forms a" it Annals of 
Math. 15 (1913), 30-70. 

[10] R. D. Carmichael, A Simple Principle of Unification in the Elementary Theory of Numbers, 
Amer. Math. Monthly 36 (1929), 132-143. 

[11] H. Cohen, A Course in Computational Algebraic Number Theory, Graduate Texts in Math- 
ematics 138, Springer- Verlag: New York 1993. 

[12] M. Davis, Hilbert's Tenth Problem in Unsolvable, Amer. Math. Monthly 80 (1973), 233- 
269. 

[13] M. Davis, H. Putnam and J. Robinson, The Decision Problem for Exponential Diophantine 
Equations, Annals of Math. 74 (1961), 425-436. 

[14] H. T. Engstrom, On Sequences Defined by Linear Recurrence Relations, Trans. Amer. 
Math. Soc. 33 (1931), 210-218. 

[15] C. F. Gauss, Disquisitiones Arithmeticae 1801. (English translation: Yale U. Press, New 
Haven, 1966.) 



50 



[16] E. M. Gurari and O. H. Ibarra, An A^^P-Complete Number-Theoretic Problem, J. ACM 26 
(1979), 567-581. 

[17] L. K. Hua, On the least solution to Pell's equation. Bull. Amer. Math. Soc. 48 (1942), 
731-735. 

[18] D. E. Knuth, The Art of Computer Programming, Vol. 2, Seminumerical Algorithms, 
Addison- Wesley Publ. Co., Reading, Mass. 1969. 

[19] J. C. Lagarias, Succinct Certificates for the Solvability of Binary quadratic Diophantine 
Equations (Extended Abstract), Proc. 20th IEEE Symp. on Foundations of Computer 
Science (1979), 47-54. 

[20] J. C. Lagarias, Worst-case complexity bounds for algorithms in the theory of integral 
quadratic forms, J. of Algorithms 1 (1980), 42-86. 

[21] J. C. Lagarias, On the computational complexity of determining the solvability or unsolv- 
ability of the equation - Dy'^ = -1, Trans. Amer. Math. Soc. 260 (1980), 485-508. 

[22] J. C. Lagarias, Succinct Certificates for the Solvability of Binary quadratic Diophantine 
Equations, Beh Labs Technical Memorandum 81-11216-54, Sept. 28, 1981. 

[23] H. W. Lenstra, Jr, On the calculation of regulators and class numbers of quadratic fields, 
in: Number theory days, 1980 (Exeter 1980), pp. 123-150, London Math. Soc. Lecture 
Notes Series 56, Cambridge University Press, Cambridge 1982. 

[24] K. Manders and L. Adleman, A^P-complete decision problems for binary quadratics, J. 
Comp. Sys. Sci. 16 (1978), 168-184. 

[25] G. B. Mathews, Theory of Numbers, 2nd Ed., New York, 1961 (Reprint). 

[26] Y. Matijasevic, Enumerable Sets are Diophantine, Dokl. Akad. Nauk SSSR 191 (1970), 
279-282. 

[27] G. Miller, Riemann's Hypothesis and Tests for Primality, J. Computer and Systems Science 
13 (1976), 300-317. 

[28] W. Narkiewicz, Elementary and Analytic Theory of Algebraic Numbers, Polish Scientific 
Publishers, Warsaw, 1974. 

[29] V. Pratt, Every Prime has a Succinct Certificate, SIAM J. Computing 4 (1975), 214-220. 

[30] L. Redei, Die 2-Ringklassengruppe des Quadratischen Zahlkorperws und die theorie der 
Pellschen Gleichung, Acta. Math. Acad. Sci. Hung. 4 (1953), 31-87. 

[31] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and 
public key cryptosystems, Comm. ACM 21 (1978), 120-126. 

[32] D. Shanks, Class number, a theory of factorization and genera, in: 1969 Number Theory 
Institute, Proc. Symp. Pure Math. XX (1971), 415-440. 



51 



[33] D. Shanks, The Infrastructure of a Real Quadratic Field and Its Applications, Proc. 1972 
Number Theory Conf., U. of Colorado, Boulder, Colorado (1972), 217-224. 

[34] S. Smale, Mathematical problems for the next century, in: Mathematics: frontiers and 
perspectives, pp. 271-294, Amer. Math. Soc, Providence RI 2000. 

[35] H. J. S. Smith, Report on the Theory of Numbers, Chelsea Publ. Co., New York (Reprint). 

[36] C. Thiel, Under the assumption of the generalized Riemann hypothesis, verifying the class 
number belongs to NP fl co — NP, in: Algorithmic number theory (Ithaca, NY 1994), PP- 
234-247, Lecture Notes in Computer Science 877, Springer- Verlag, Berlin 1994. 

[37] B. A. Venkov, Elementary Number Theory, Wolters-Noordhoff Publ. Co., Groningen, The 
Netherlands, 1970. 

[38] M. Ward, The arithmetical theory of linear recurring series. Trans. Amer. Math. Soc. 35 
(1933) 600-628. 



52 



